On March 24, 2026, Mozilla released Firefox 149, which came with one of the biggest security advisories in the browser's recent history. The update fixes 37 security holes, including memory corruption, sandbox escapes, use-after-free flaws, and remote code execution. Mozilla gives the security update an overall "high" impact rating.

The 37 CVEs are spread over three levels of severity: 16 are high, 17 are moderate, and 4 are low. The most serious security holes fixed in this release include several memory corruption and sandbox escape problems. This is a big step forward: it is the first time an AI-assisted contribution with multiple CVEs has been made to a major browser security advisory, and the first time Mozilla has put out a big security advisory that was helped by AI.

You can get the advisory from the Mozilla Web App Store and the Google Play Store. All of the vulnerabilities affect versions of Firefox that are older than 149. The moderate-severity tier includes many issues in the Canvas2D, Graphics, Audio/Video, and JavaScript Engine components.

Users should update to Firefox 149 right away, either through the browser's built-in updater or by downloading it directly from Mozilla's official website. Mozilla's release notes say that organizations that manage enterprise deployments should make patching a top priority because this release addresses a lot of sandbox-escape and remote-code-execution vectors. Jun Yang, Satoki Tsuji, Aswinkumar Gokulakannan, Hanno Boeck, and Jan Horak all reported the problems.

The fixes also cover denial-of-service bugs in the XML and NSS libraries and a spoofing problem in the Privacy: Anti-Tracking component (CVE-2026-4728).